A critical privacy vulnerability has been uncovered in the app developed by Lovense, a well-known brand in the Internet-connected sex toy industry. The flaw potentially exposes the private email addresses of users, creating significant concerns regarding user safety, privacy, and the risk of targeted harassment.
Discovery and Details of the Vulnerability
The issue was brought to light by security researcher BobDaHacker, who found that the app’s communication protocols allow anyone with knowledge of a user’s public Lovense username to retrieve their registered email address. Since usernames are often shared publicly on forums or social media, this vulnerability puts a substantial number of users at risk of identification and unwanted contact.
The technical root of the vulnerability lies in how the app exchanges data with Lovense’s servers. When a user performs certain actions within the app, such as muting another user, the responses returned by the server contain email addresses, and anyone inspecting the app’s network traffic with standard analysis tools can read them. More alarmingly, those same requests can be altered so that any public username is resolved to its corresponding private email address. No access to the app account or to company infrastructure is needed; a username alone is sufficient to exploit the flaw.
Response from Lovense and Remaining Risks
Researchers first reported the vulnerability to Lovense over four months ago. While the company did address a separate, critical account hijacking issue during that period, the flaw related to email address exposure has not been fully remediated as of the latest reporting. This ongoing risk leaves users vulnerable to doxxing, harassment, and other forms of online abuse or blackmail.